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SYSTEM AND METHOD OF BOOTSTRAPPING A TEMPORARY PUBLIC-KEY 
INFRASTRUCTURE FROM A CELLULAR TELECOMMUNICATION 
AUTHENTICATION AND BILLING INFRASTRUCTURE 

Field of the Invention 

The invention relates to a system and method of bootstrapping a public-key 
infrastructure to enable secure payment of goods and services using a mobile terminal. 
More particularly, the invention is a system and method in which subscribers of a 
cellular telecommunication system can buy goods and services from sellers and 
arrange for payment through the subscriber's telephone bill using a mobile terminal 
which ensures that errors and fraud do not take place relating to the payment. 

Background of the Invention 

It has been common for buyers to pay for goods and services using credit and 
debit cards. The use of credit cards has eliminated the need to carry large amounts of 
cash in order to pay for these goods and services. Further, the use of a credit card has 
eliminated the need for car rental agencies and hotels to require large deposits in order 
to assure return of vehicles or to reserve rooms. Thus, the use of credit cards has 
facilitated the transacting of business and thus provides a significant convenience to the 
buyer. However, credit cards have also facilitated the occurrence of fraud and errors 
in which the customer is double billed for the same item or billed the incorrect amount. 

With the explosion in Internet access and usage, an increasing volume of 
business is occurring between individuals and firms, who have never seen each other, 
let alone engaged in any prior business transactions. Currently, a typical Internet user 
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would have a browser installed in his local computer or server such as Internet 
Explorer™ or Netscape™. Using this browser, the user would access an Internet 
service provider, such as America-On-Line (AOL™), via a modem over the local public 
switched telephone network (PSTN). Once logged onto the Internet server, the user 
5 may utilize one of the many search engines, such as Yahoo™ or Lycos™, to specify 
search terms. The user may also use a web crawler, spider or robot to attempt to find 
a product, service or information desired. The search engine or web crawler would then 
respond with a list of web sites which matched the search terms the user provided. The 
user would then log onto a web site and view the products or services available for sale. 

10 If the user decides to buy the item from the web site, the firm operating the web site 
would again frequently request a credit card number be entered by the user in order to 
pay for the product or service. Once the credit card charge is approved, the operator 
of the web site will then typically ship the item to the user. In the case where the item 
ordered is digital in format, such as software, graphics, text, video, or music, the item 

15 ordered maybe downloaded into the user's PC, server, laptop, palm computer or other 
processor-based system. 

With the advent of cellular phones with and without wireless access protocol 
(WAP), a user may also "surf the Internet and order goods and services directly 
through the WAP-capable phone or a processor-based system connected to the 

20 cellular phone in a similar manner as that used with a PC. Thus, a user may order 
goods and services from anywhere with a cellular phone, satellite phone, or other type 
of mobile station. Therefore, a person could be sitting in the middle of a remote area, 
many miles away from another human being, let alone a telephone line, and order a 
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video game from a web site on the other side of the planet and download it into his 
palm computer connected to a cellular or a standalone WAP or HTML (Hypertext 
Markup Language) capable phone and play the game on the spot. 

However, the user or consumer may not know who is operating the web site and 
may have a legitimate fear of supplying a credit card number over the Internet to a 
stranger who may or may not deliver the desired product. Further, the user may be 
concerned that the agreed upon price will not be the price actually charged to his credit 
card even when the buyer is dealing directly in a face to face transaction with the seller. 
In addition, there is also the possibility even in a face to face transaction that the buyer 
may be double billed for the same item. Also, in an Internet transaction there is no 
guarantee that the goods will be delivered if the web site operator is less than honest. 

Credit card companies have attempted to resolve the issues related to double 
billing or billing the incorrect amount by providing dispute resolution services in which 
a customer may challenge a charged amount and the credit card company will launch 
an investigation. However, such an investigation may take a long time and the buyer 
is not guaranteed of a satisfactory resolution. In the case of fraud due to a stolen credit 
card, the credit card company will normally limit liability if the card is promptly reported 
as stolen. In the case of a debit card, the bank may not be required to limit liability in 
case of loss or theft. 

Other methods utilized to prevent fraud and error in commercial transactions has 
been through the use of digital signatures that may not be repudiated. In public key 
systems, an entity called the certification authority (CA) performs two central functions: 
issuance and revocation of certificates. A certificate is used to connect a name or an 
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authorization, such as permission to make purchases, to a public signature verification 
key. The certificate is signed by the CA. To verify the certificate an authentic copy of 
CA's public signature verification key is required. For example, assuming a person or 
entity has the public key of a certain CA (CA1). This person or entity can verify 
certificates issued by a certain CA (CA2), only if CA2's public key has been certified by 
CA1 . This type of cross-certification of CAs is referred to as a "public key infrastructure" 
(PKI). Thus, in order for digital signatures to have widespread usage such digital 
signatures require the presence of a global PKI which is difficult to develop since it 
requires contracts and agreements between a large number of parties. Attempts to 
create such a global PKI system have so far met with failure. Public key certificates and 
cross certification are discussed in further detail in Section 13.4.2 "public key 
certificates" and Section 13.6.2 "Trust models involving multiple certification authorities" 
of Handbook of Applied Cryptography bv A. J. Menezes etal., CRC Press 1997, ISBN 
0-8493-8523-7, which are incorporated herein by reference. 

Therefore, what is needed are a system and method which allows a user or 
consumer to pay for goods and services while ensuring that an hacker or criminal may 
not listen in or tap into a payment transaction between a legitimate buyer and seller and 
later use this knowledge to make purchases which are charged to the legitimate user. 
This system and method should further not allow the legitimate user from repudiating 
legitimate charges he has made. This system and method should also prevent a seller 
from forging payment transactions in the name of a legitimate consumer. This system 
and method should also not require the establishment of a new infrastructure in order 
to operate properly. 
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Summary of the Invention 

An embodiment of the present invention provides a method of ordering, paying 
for and delivering goods and services using a mobile station. This method starts by 
authenticating the mobile station is permitted access to a telecom infrastructure. It then 
5 accesses a gateway by the mobile station and transmits an identification code for the 
mobile station to the gateway. This method then requests a digital certificate by the 
mobile station from the gateway used for ordering and paying for a product or service 
from a seller using the certificate. The method then verifies the identity of the mobile 
station by the gateway accessing an authentication center and comparing variables 

JO computed by the mobile station and variables computed by the gateway. It then verifies 
the legitimacy of the gateway by comparing the variables computed by the gateway with 

=_ the variables computed by the mobile station. The method delivers a digital certificate 
to the mobile station by the gateway when the identity of the mobile station and the 
gateway have been verified. It then requests a product or service from a seller and 
15 transmits a digital signature, accompanied by the digital certificate for the signature 
verification key, as payment to the seller. 

Further, an embodiment of the present invention creates a system and computer 
program for ordering, paying for and delivering goods and services using a mobile 
station. This system and computer program uses a GSM authentication module to 

20 verify that the mobile station belongs to a user that can be billed. It also has a mobile 
station certificate acquisition module to request a digital certificate forthe mobile station 
from a gateway and verify that the gateway is authorized to issue the digital certificate 
by comparing variables computed by the gateway and the mobile station. The system 
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and method also has a gateway certificate generation module to verify that the mobile 
station is authorized. This module also transmits an international mobile subscriber 
identifier received from the mobile station to an authentication center, and receives 
information using which it can verify the authenticity of the mobile station by means of 
a challenge-response protocol. Once verified, this module generates and issues a 
digital certificate to the mobile station. 

These and other features of this device and method will become more apparent 
from the following description when taken in connection with the accompanying 
drawings which show, for purposes of illustration only, examples in accordance with the 
present invention. 

Brief Description of the Drawings 

The foregoing and a better understanding of the present invention will become 
apparent from the following detailed description of exemplary embodiments and the 
claims when read in connection with the accompanying drawings, all forming a part of 
the disclosure of this invention. While the foregoing and following written and illustrated 
disclosure focuses on disclosing example embodiments of the invention, it should be 
understood that the same is by way of illustration and example only and the invention 
is not limited thereto. The spirit and scope of the present invention are limited only by 
the terms of the appended claims. 

The following represents brief descriptions of the drawings, wherein: 
FIG. 1 is an example of an overall system diagram of an embodiment of the 
present invention; 
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FIG. 2 is a diagram of the messages passed between a mobile station, a 
gateway, and a home location register (HLR) that contains or is connected to an 
authentication center (AUC) so that the buyer maybe authenticated and ultimately 
receive a certificate which may be used to purchase goods and services; 
5 FIG. 3 is a flowchart of the mobile stations certificate acquisition module shown 

in FIG. 12 as utilized in an embodiment of the present invention; 

FIG. 4 is diagram showing a Global Standard for a Mobile (GSM) 
communications authentication algorithm used in the example embodiments of the 
present invention; 

= 1 0 FIG. 5 is a flowchart of the gateway certificate generation module shown in FIG. 

- 12 as utilized in an embodiment of the present invention; 

FIG. 6 is a diagram of the messages that pass between the mobile station and 
the seller in order to facilitate the purchase and payment of goods and services as 
utilized in an example embodiment of the present invention; 
1 5 FIG. 7 is a flowchart of a buyer purchase module shown in FIG. 1 2 as utilized by 

an embodiment of the present invention; 

FIG. 8 is a flowchart of the seller sales module, shown in FIG. 12, as utilized by 
an embodiment of the present invention; 

FIG. 9 is a diagram of the messages passed between the seller and the gateway 
20 in order to facilitate payment to the seller for services and goods provided the buyer in 
an example embodiment of the present invention; 

FIG. 10 is a flowchart of the seller billing module, shown in FIG. 12, as utilized 
in an example embodiment of the present invention; 
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FIG. 1 1 is a flowchart of the gateway billing module, shown in FIG. 1 2, as utilized 
in an example embodiment of the present invention; and 

FIG. 12 is a modular configuration diagram of the embodiments of the present 
invention shown in FIGs. 3-5, 7, 8, 10, and 11. 

5 



9 
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DETAILED DESCRIPTION 

Before beginning a detailed description of the invention, mention of the following 
is in order. When appropriate, like reference numerals and characters maybe used to 
designate identical, corresponding or similar components in differing figure drawings. 
5 Further, in the detailed description to follow, exemplary sizes/models/values/ranges may 
be given, although the present invention is not limited to the same. 

:i FIG. 1 illustrates an example of an overall system diagram of an embodiment of 

the present invention. In this example embodiment a mobile station (MS) 20 acts as 
an interface for the user, buyer or consumer 10 for access to the present invention. 

:10 This mobile station (MS) 20 may be a WAP-capable cellular telephone, a Hypertext 
Markup Language (HTML) capable cellular telephone, or a cellular telephone with a 
processor-based system connected to it. This processor-based system may be, but not 
limited to, a laptop computer, palm computer, or other portable computing devices 
including the WAP-capable telephone alone. The mobile station (MS) 20 
1 5 communicates through the telecom infrastructure 30 to a local network operator service 
70 through a gateway 60. Telecom infrastructure 30 may be, but not limited to a cellular 
telephone control protocol, such as GSM (Global System for Mobile Communications) 
telephony system, and internet protocol (IP) over wireless local area network (LAN) or 
any other suitable access protocol. The interface between the mobile station 10 and 
20 the seller 50 is to communications infrastructure 35 which may be, but not limited to, a 
direct physical connection, correct short range radio frequency (RF) connection, an IP 
connection, or any other suitable means of communication. In turn the seller 50 may 
communicate to the gateway 60 and thus the local network operator service 70 through, 
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but not limited to, an internet protocol packet-switched network, a dial-up line over the 
public switched telephone network, or any other suitable means of communications. 
Therefore, the embodiments of the present invention are not limited to communications 
using the Internet. Further, the local network operator service 70 may communicate to 
5 the buyer's 1 0 home network operator service 80 directly through the PSTN or via the 
Internet. In addition, the home network operator service 80, the local network operator 
service 70 and a gateway 60 are all considered part of the mobile telephone 
infrastructure for billing and authentication 90 which serves to facilitate the purchase of 
goods and services. 

; 10 In FIG. 1 it should be noted that the assumption is made that user 10 is not 

~- within the home network operator service 80 area. However, the embodiments of the 
present invention will operate when the user 1 0 is in the home network operator service 
80 area and thus the home network operator service 80 and the local network operator 
service 70 may be one and the same entity. 
15 When the user or consumer 10 is not in his home network operator service 80 

area, the user 1 0 may still make purchases from seller 50 if a roaming agreement exists 
between the local network operator service 70 and the home network operator service 
80. Further, the seller 50 may be anyone selling a good or service from a street flower 
vendor to a department or clothing store. The seller 50 may also be a seller of software 
20 or other digital products and may have a store front or may have a web site on the 
Internet 40. The only restriction on the seller 50 is that he be permitted by the local 
network operator service 70 to accept digital payment certificates from a buyer 1 0 and 
submit them to the local network operator service 70 for payment. If the user or buyer 
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10 is outside of his home network operator service 80 area, the local network operator 
service 70 will submit an accounting record of the transaction between buyer 10 and 
seller 50 to the user's 10 home network operator service 80 for billing on the user's 10 
telephone bill. 

5 Still referring to FIG. 1 , using the present invention it is possible for a buyer 10 

to utilize mobile station 20 similarly to a credit card to pay for goods and services 
wherever the user's home network operator service 80 has established a roaming 
agreement with the local network operator service 70. As with the major credit cards, 
this could someday be worldwide if a universal cellular phone standard is established. 

1 0 As will be discussed ahead, the use of the present invention eliminates the possibility 
of double billing a buyer 10 for a product or service or submitting an incorrect price for 
payment for a particular good or service. Further, since digital signatures cannot be 
forged by any party that do not have access to the signing key, and since the signing 
key is never released outside the mobile station 20, it would be impossible for a third 

15 party eavesdropper, hacker, criminal, or the seller to either undetectably modify 
payment messages generated by a legitimate payer, or generate bogus payment 
messages purportedly coming from a legitimate payer. In addition, the buyer or user 
10 may utilize mobile station 20 wherever his home network operator service 80 has 
established a roaming agreement and his mobile station 20 can interface to the local 

20 network operator service 70. 

A discussion will now be supplied involving the logic employed in the 
embodiments of the present invention. Specifically, a discussion will be provided of the 
flowcharts and diagrams illustrated in FIGs. 2 through 1 1 and the modular configuration 
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diagram provided in FIG. 12. The flowcharts and diagrams shown in FIGs. 2 through 
12, as well as the modular configuration diagram shown in FIG. 12 contain operations 
that correspond, for example, to code, sections of code, instructions, firmware, 
hardware, commands or the like, of a computer program that is embodied, for example, 
on a storage medium such as floppy disk, CD Rom, EP Rom, hard disk, etc. Further, 
the computer program can be written in any language such as, but not limited to, for 
example C++. 

Embodiments of the present invention use the GSM (Global System for Mobile 
Communications) telephony system that employs algorithms in the mobile station (MS) 
20, such as, but not limited to, cellular phones and WAP-capable cellular phones, and 
the a mobile telephone infrastructure for billing and authentication 90 which controls 
authentication of the user 10 and mobile station 20 to prevent unauthorized access to 
the network and to provide encryption of the transmissions between users. The GSM 
System is described in depth in the publication, "The GSM System for Mobile 
Communications" by Mouly and Pautet, Copyright 1992, which publication is 
incorporated herein by reference in its entirety. Security features of the GSM system 
are described in pages 477 through 498 of the Mouly and Pautet text. Further detail of 
the GSM system security is provided in ETSI publication TS 100 929 V.6.1.0 (1999) 
entitled "Digital cellular telecommunications system (Phase 2+); Security related 
network functions" (GSM 03.20 version 6.1.0 Release 1997), which is incorporated 
herein by reference in its entirety. The usage of the GSM system in the present 
invention will be discussed in further detail in relation to the FIGs. 2-12 and in particular 



13 



ATSK Reference No.: 017.38633X00 
Nokia Reference No.: 18746 

to FIG. 4. However, it should be noted that any other GSM like system may be used 
that authenticates a mobile station 20 for access to a telecom infrastructure^©. 

FIG. 2 is a diagram of the messages passed between a mobile station 20, a 
gateway 60, and a home location register (HLR) authentication center (AUC) located 
5 in the home network operator service 80. In the following discussion, curly brackets { 
} indicate a set of one or more items, and square brackets [ ] indicate an optional item. 
5 The messages 210 through 260 enable mobile station 20, and thus a buyer 10, to 
n receive a digital certificate which enables the buyer 1 0 to purchase and pay for goods 
4 and services from seller 50. A total of four messages are exchanged between mobile 
10 station 20 and gateway 60, while two messages are exchanged between gateway 60 
:j and HLR/AUC 100. These messages will be discussed in further detail in reference to 
FIGs.3and5. However, to summarize, message 210 is transmitted from mobile station 
3 20 to gateway 60 and contains a session identification (SID) and an international mobile 
subscriber identifier (IMSI). The IMSI is a unique identification number supplied for 
1 5 each mobile station 20 by the home network operator service 80 upon initial signing of 
a contract for service. The SID is a number assigned by the mobile station 20 and used 
to identify this particular session. The gateway 60 in turn stores the SID and IMSI in its 
local memory and transmits the IMSI in message 220 to the HLR/AUC 100 contained 
within home network operator service 80. The gateway 60 is able to identify which HLR 
20 /AUC 100 it needs to transmit the IMSI to based on information contained within the 
IMSI. As will be discussed in further detail in reference to FIG. 4, the HLR/AUC 100 
responds with message 230 containing a random number (RAND) 410, a signed 
response (SRES) 450, and an encryption key (Kc) 400. The gateway 60 takes the Kc 
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400 and uses it to compute an integrity key (K) based on the formula K = f ({Kc}), where 
f is a cryptographic one-way hash function known both to the gateway 60 and to the 
mobile station 20. The gateway 60 would then store the SID, IMSI, RAND 440, SRES 
450 and K in a single record in the gateway's 60 memory. Thereafter, message 240 
5 is sent from the gateway 60 to the mobile station 20 and contains RAND 440 and M1 . 
M1 is computed based upon a message authentication code (MAC) function using 

2 s integrity key (K) And RAND 440. The formula used is represented as M1 = MAC (K, 
{RAND}). The purpose of a MAC is to facilitate, without the use of any additional 
mechanisms, assurances regarding both the source of a message and its integrity 

JO MACs have two functionally distinct parameters, a message input ({RAND}) and a 
secret key (K). MAC functions are discussed in further detail in sections 9.5 "keyed 

= hash functions (MACs)" and 9.6.3 "Data Integrity Using MAC Alone" of Handbook of 
Applied Cryptography by A. J. Menezes et al., CRC Press 1997, ISBN 0-8493-8523-7, 
which are incorporated herein by reference. Upon receipt of the RAND 440 and M1 

1 5 variables, the mobile station 20 computes SRES 450 and Kc 400 based on RAND 440 
and secret key (Ki) 410. Ki 41 0 is a secret key installed by the home network operator 
service 80 in the mobile station 20 upon signing up for a service plan. The mobile 
station 20 also computes the integrity key (K) using the formula K = f({Kc}). The 
computation of Kc 400 is discussed in further detail in reference to FIG. 4. 

20 Still referring to FIG. 2, mobile station 20 responds to the receipt of message 240 

by the generating message 250 and transmitting message 250 to gateway 60. 
Message 250 includes SRES 450, a public key (PK), any restrictions, an alias, and M2. 
The public key (PK), provided by mobile station 20, is used to generate digital 
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signatures for user 10 which act as approvals for charges made in the purchase of 
goods and services. Both the restrictions and alias are optional items. Restrictions 
refer to limitations on transactions that may be placed. For example, user or buyer 1 0 
may be protected from a loss or theft of mobile station 20 by limiting the amount of any 
5 given purchase, the number purchases that can be made within a particular time frame, 
or the time period within which the public key is valid. The alias is an alternate 
identification for the mobile station 20. M2 is computed based upon another MAC 
function utilizing the variables K, SRES 450, PK, restrictions, and the alias. The specific 
formula for computation of M2 is M2 = MAC (K, {SRES}, PK, [{restrictions}], [alias]). 
;10 Upon receipt of message 250, the gateway 60 generates a digital certificate (C) and 
^ stores in a record in memory the SID, IMSI, f (RAND, SRES, K), PK, restrictions, alias, 
. - and digital certificate (C). Thereafter, the gateway 60 computes M3 which is based on 
-.. formula M3 = MAC (K, C). Then in message 260, the gateway 60 transmits the 
message 260 containing the digital certificate (C) and M3 to the mobile station 20. The 
1 5 digital certificate (C) may then be used to purchase goods and services from seller 50. 

In an alternate embodiment of the messages shown in FIG. 2, it is possible to 
enhance security of the present invention by encrypting the IMSI in message 21 0 using 
a public key supplied by the gateway 60 or some other server. In this manner it is less 
likely that the IMSI would be intercepted by a third party. 
20 In a still further alternate embodiment of the messages shown in FIG. 2, it is 

possible to have the SID jointly selected by the mobile station 20 and the gateway 60. 
In this manner, tracking of the certificate in message 260 and associating it to the SID 
may be simplified for the gateway 60. 
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In another alternate embodiment of the messages shown in FIG. 2, it is possible 
to drop the SRES 450 in message 250 since it is already required to generate a correct 
M2. 

In another embodiment of the messages shown in FIG. 2, it is possible for the 
5 HLR to compute the integrity key K and send it as part of message 230 to the gateway. 
In this case, as an alternative embodiment, instead of the integrity key (K) computed 
as a function of the set of encryption key (Kc) 400, it may be computed directly from the 
secret key (Ki) 410 and the random number (RAND) 440. 

In another embodiment of the messages shown in FIG. 2, the public key (PK) 
10 may be a long term public key stored in the authentication center (AUC). In this case, 
PK is included in message 230, and need not be included in message 250. 

In still another embodiment of the messages shown in FIG. 2, the public key (PK) 
of the local network operator service 70 (denoted as PK_G) can be included in 
message 260. This allows the mobile station 20 to verify certificates that were issued 
1 5 by the operator to other entities such as sellers 50. It also allows the mobile station 20 
to verify certificates that were issued to other mobile stations 20, thereby allowing the 
first mobile station 20 to act as a seller. Therefore, a mobile station 20 may act in one 
instance as a buyer and in the next instance as a seller. This would be most suitable 
when the product being sold is a digital product. However, any good or service may be 
20 sold this way. 

A discussion will now be provided for FIGs. 3 through 5 detailing the exchange 
of messages as shown in FIG. 2. FIG. 3 is a flowchart of the mobile station certificate 
acquisition module 1500 shown in FIG. 12. The mobile station certificate acquisition 

17 
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module 1500 is used to generate messages 210 and 250 shown in FiG. 2. The mobile 
station certificate acquisition module 1500 also receives and processes messages 240 
and 260 from a gateway 60, as shown in FIG. 2. The mobile certificate acquisition 
module 1500 includes operations 300 through 430 shown in FIG. 3. 
5 Referring to FIG. 3, the mobile station certificate acquisition module 1 500 begins 

execution in operation 300 and immediately proceeds to operation 310. In operation 
310, a SID is generated which is a unique number identifying a session. In addition, the 
IMSI representing the international mobile subscriber identifier is retrieved and along 
with the SID is transmitted to gateway 60 in message 210. Thereafter, in operation 320, 

TO the mobile station 20 will wait for receipt of message 240 from gateway 60. Upon 
arrival of message 240, processing will then proceed to operation 330. As previously 
discussed, message 240 contains a random number (RAND), and M1. M1 was 
computed by the gateway 60 utilizing a integrity key (K) and a random number (RAND) 
received from the HLR/AUC 100. In operation 330, mobile station 20 computes M1\ 

15 M1' is computed in the same manner by the mobile station 20 as M1 was computed by 
gateway 60 with the exception that encryption key (Kc) 400 is contained within the 
mobile station 20 itself and is used to compute integrity key (K). Utilizing the same 
formula used by the gateway 60, the mobile station 20 is able to compute M1'. The 
formula utilized is M1' = MAC (K, {RAND}). Therefore, in operation 340 a comparison 

20 is made between M1 received from gateway 60 and M1 ' computed by the mobile station 
20. This comparison is done in order to assure the mobile station 20, and thus user 1 0, 
that the source of message 240 is a legitimate portion of the GSM system. If M1 is not 
found to equal MV in operation 340, then processing proceeds to operation 350 where 



ATSK Reference No.: 017.38633X00 
Nokia Reference No.: 18746 

execution of the mobile station certificate acquisition module 1500 is aborted and 
processing terminates. If operation 350 is executed the assumption is that message 
240 has been corrupted or that a gateway 60 is being impersonated by an unauthorized 
individual. 

5 Still referring to FIG. 3, if M1 =M1',then processing proceeds from operation 340 

to operation 360. In operation 360, M2 is computed. As previously discussed, M2 is 

= computed based upon a MAC function utilizing the variables K, SRES 450, PK, 
restrictions, and the alias. The specific formula for computation of M2 is M2 = MAC (K, 
{SRES}, PK, [{restrictions}], [alias]). Thereafter, message 250 is generated containing 

10 SRES, PK, restrictions, alias, and M2 and is transmitted to gateway 60. In operation 
380 the mobile station 20 waits for receipt of message 260 from gateway 60. Upon 
receipt of message 260 from gateway 60 processing then proceeds to operation 390. 
In operation 390, M3' is computed as previously discussed above in reference to FIG. 
2. M3' is computed in the same manner as M3 was computed by the gateway 60 based 

15 on formula M3 = MAC (K, C) with the exception that encryption key (Kc) 400 is 
contained within the mobile station 20 itself and is used to compute integrity key (K). 
Thereafter, processing proceeds to operation 400 where M3' is compared against M3 
received in message 260 from gateway 60. If it is determined in operation 400 that M3' 
does not match M3, then processing proceeds to operation 410. In operation 410, 

20 processing of the mobile station certificate acquisition module 1500 is terminated. 
When M3' does not match M3, it is assumed that message 260 has been corrupted or 
that an unauthorized individual is impersonating a gateway 60. However, if M3' does 
match M3 in operation 400, then processing proceeds to operation 420. In operation 
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420, the certificate received in message 260 is stored in the memory of mobile station 
20. This certificate may be used, within any associated restrictions, for the purchasing 
of goods and services from seller 50. Thereafter, processing for the mobile station 
certificate acquisition module 1500 terminates in operation 430. 
5 FIG. 4 further details authentication in a GSM network performed by the 

generation of a signed response (SRES) 450 by both the mobile station (MS) 20 and 
the home network operator service 80 and gateway 60 which is a function of a unique 
secret key (Ki) 410 of the mobile station 1 0 and a random number (RAND) 450 as used 
in the logic shown in FIGs. 3 and 5. The signed response (SRES) 450 is calculated in 

-10 a subscriber identification module (SIM) (not shown) located in the mobile station (MS) 
20, based on Ki 410 inside the SIM and RAND 440 obtained from the network 
authentication center (AUC) (not shown) in the home network operator service 80. 

] Additionally, the mobile station (MS) 20 and the authentication center in the home 
network operator service 80 each generate a ciphering key (Kc) 400 which is a function 

15 of the same random number RAND 440 and the secret key (Ki) 410 of the mobile 
station 20. This authentication process is a two stage process which employs two 
algorithms. The first algorithm, which calculates SRES 450, is known as the A3 
algorithm module 420 and the second, key generation, algorithm which computes Kc 
400, which is computed each time a mobile station 20 is authenticated, is known as the 

20 A8 algorithm module 430. However, each of the operations of authentication and 
computing of the ciphering key (Kc) 400 requires the mobile station (MS) 20 to be 
programmed to perform the aforementioned computations. 
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Still referring to FIG. 4, the mobile switching center (not shown) located in the 
local network operator service 70 authenticates the mobile station 20 whenever a new 
mobile station (MS) 20 registers with the mobile telephone infrastructure for billing and 
authentication 90 and whenever a registered mobile station (MS) 20 turns on the power. 
5 Authentication in a GSM system is based on a secret key (Ki) 31 0 that is shared by the 
home network operator service 80 and the subscriber and which is different for each 
subscriber. The home network operator service 30 keeps the key Ki 41 0 in the AUC and 
the subscriber has Ki 410 installed within SIM card of the mobile station 20, which he 
receives from the home network operator service 80 when the subscription contract is 

10 made. To protect the secrecy of Ki 410, the SIM is made so that the mobile station 
(MS) 20 cannot directly access the value of Ki 410, and can only initiate certain 
computations in the SIM that use Ki 410 and then receive the results of those 
computations. Similarly, the elements of the mobile telephone infrastructure for billing 
and authentication 90, such as home location register (HLR) cannot access subscribers' 

15 keys Ki 410 directly. These network elements may only request from the AUC a result 
of computations that use Ki 410 as discussed above. These computations are an A3 
algorithm module 420 and an A8 algorithm module 430 and are identical in the SIM of 
the mobile station (MS) 20 and in the AUC in the home network operator service 80. 
The foregoing mentioned GSM authentication process is a two stage process. 

20 In the first stage of GSM authentication, a local network operator service 70 element, 
which is typically a MSC/VLR (Mobile services Switching Center/Visitor Location 
Register), receives an International Mobile Subscriber Identifier (IMSI) from the mobile 
station (MS) 20 and requests from the AUC of the home network operator service 80 
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one or more triplets. These triplets are composed of RAND 440, SRES 450, and Kc 
400. This process begins by the mobile station 20 sending an International Mobile 
Subscriber Identifier (IMSI) to MSC/VLR in the local network operator service 70. The 
MSC/VLR then requests authentication triplet(s) (RAND 440, SRES 450, and Kc 400) 
5 from the AUC in the home network operator service 80. The AUC, in the home network 
operator service 80, computes one or more triplets (RAND 440, a SRES 450, and a Kc 
400) and sends them to the MSC/VLR in the local network operator service 70. 

In the second stage of GSM authentication, the MSC/VLR of the local network 
operator service 70 authenticates the mobile station (MS) 20 by the MSC/VLR in the 

.1 0 local network operator service 70 sending to mobile station 20 an authentication request 
(RAND) in which the message contains a RAND 140. The MS 20 then sends to the 
SIM, contained within MS 20, a run GSM algorithm (RAND) request message which 
again contains RAND 440. In operation 260, MS 20 sends to the SIM a get response 
message. Thereafter, the SIM replies with a response having a SRES 450 and Kc 400. 

15 Then MS 20 stores Kc 400 in the SIM by sending to the SIM a write (Kc) request in 
which the message contains Kc 400. The MS 20 sends to MSC/VLR a Radio Interface 
Layer 3, Mobility Management (RIL 3-MM) protocol authentication response in which 
the SRES 450 is contained in the message. After receiving the message the MSC/VLR, 
in the local network operator service 70, compares SRES 450 that it has received from 

20 the AUC in the home network operator service 80, in stage one of GSM authentication 
discussed the SRES 450 received from the MS 20. If the values of the SRES 450 are 
determined not to be identical then authentication fails and service is not established. 
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However, if the values are identical then authentication succeeds and service is 
established for the MS 20. 

FIG. 5 is a flowchart of the gateway certificate generation moduie 1600, shown 
in FIG. 12, as utilized in an embodiment of the present invention. The gateway 
5 certificate generation module 1600 is the counterpart of the mobile station certificate 
acquisition module 1500 and serves to generate a digital certificate required by buyer 
10 in order to make purchases from seller 50. The gateway certificate generation 
module 1600 begins execution in operation 500 and immediately proceeds with 
operation 510. In operation 510, the gateway 60 awaits transmission of message 210 

10 from mobile station 20. Upon receipt of message 210 from mobile station 20, the 
gateway 60 stores in local memory the SID and IMSI contained in message 210 and 
processing proceeds to operation 520. In operation 520, the gateway 60 generates 
message 220 containing the received IMSI. Based on IMSI, the gateway 20 knows 
which HLR/AUC the mobile station 20 is associated with and can thereby transmit 

15 message 220 thereto. Thereafter, processing proceeds to operation 536 where the 
gateway 60 waits for the receipt of message 230 from the HLR/AUC 100. The 
HLR/AUC 100 upon receipt of message 220 will reply with one or more triplets. These 
triplets contain RAND 440, SRES 450, and Kc 400. The gateway 60 will then proceed 
to compute M1 in operation 540 as previously discussed. M1 is computed based upon 

20 a message authentication code (MAC) function using integrity key (K) And RAND 440. 
The formula used is represented as M1 = MAC (K, {RAND}). Integrity key (K) is 
computed based on Kc 400 received from HLR/AUC 1 00 using the formula K = f ({Kc}). 
Processing them proceeds to operation 550 where message 240 is generated and 
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transmitted to mobile station 20. As previously discussed, message 240 contains 
RAND 440 and M1. Thereafter, processing proceeds to operation 560 where the 
gateway 60 waits for message 250 from mobile station 20. Upon receipt of message 
220 processing proceeds to operation 570 where M2' is computed. M2' is computed 
5 based upon a MAC function utilizing the variables to K, SRES 450, PK, restrictions, and 
the alias. The specific formula for computation of M2' is M2' = MAC (K, {SRES}, PK, 

= : [{restrictions}], [alias]). Processing them proceeds to operation 580 where a 

\- comparison is made between M2, received in message 250, and M2 r computed by 
gateway 60. If M2' and M2 do not match then processing proceeds to operation 590 

M0 where the execution of the gateway certificate generation module 1600 is aborted. 
However, if M2' and M2 match then processing proceeds to operation 600. In operation 

\ ' 600, M3 is computed by the gateway 60. The gateway 60 computes M3 based on the 
formula M3 = MAC (K, C). In operation 61 0, message 260 containing the certificate and 
M3 are transmitted to the mobile station 20. Thereafter, processing terminates for the 

15 gateway certificate generation module 1600 in operation 270. 

Upon termination of the mobile station certificate acquisition module 1500 along 
with its counterpart, gateway certificate generation module 1600, the mobile station 20 
has in its possession a certificate which buyer 10 may use to purchase goods and 
services from seller 50. FIGs. 6 through 8 illustrate the processing involved by the 

20 embodiment of the present invention in order for buyer 10 to make purchase from seller 
50. 

FIG. 6 is a diagram of the messages passed between the mobile station 20 and 
the seller 50 in order to facilitate the purchase and payment of goods and services as 
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utilized in an example embodiment of the present invention. A total of two messages 
are sent by the mobile station 20 to seller 50. The messages sent from mobile station 
20 to seller 50 include message 610 and message 630. Seller 50 in turn respond with 
message 620 and message 640. Message 610 contains a certificate received from 
5 gateway 60 and a request for a particular product or service. Message 620 is an 
invoice transmitted from seller 50 to mobile station 20. This invoice serves to notify 
o buyer 10 through mobile station 20 of the price of the item requested. The invoice 
V] contains a seller-specific unique transaction identifier, chosen by the seller 50, and the 
f j: identity of the seller 50, as assigned by the gateway 60. Message 630 includes a digital 
JO signature which serves to authorize charging the price of the invoice against the 
□ certificate supplied. Message 640 includes the delivery of the product to the mobile 
M station 20. In the foregoing discussion of messages 610 through 640 it has been 
O assumed that the product or service requested is in digital format that could be 
downloaded to mobile station 20. However, as previously discussed the product or 
15 service an individual buyer 10 may request may be anything including such tangible 
items as flowers and clothing. In the case where the product is a tangible item and 
buyer 10 and seller 50 face each other, then the request may take the form of an oral 
request and the delivery may take the form of handing over the flowers or other product. 
In an alternate embodiment of the message configuration shown in FIG. 6, it is 
20 possible for message 61 0 to contain the request only, and message 630 to contain both 
the signature and the certificate. In this manner the seller sales module 1800, 
discussed in detail ahead, verifies the certificate and signature at the same time. 
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In a further alternate embodiment of the message configuration shown in FIG. 
6, it is possible to charge for use of a product, such as a software based game, by the 
time of usage and not for mere delivery of the product. One method for implementing 
this would be for several messages 620 to be sent to the mobile station 20 at periodic 
5 time intervals. For example, if buyer 10 requests a game and it is downloaded, an initial 
invoice would be sent, after which a new invoice will be sent every five minutes. 

: FIG. 7 is a flowchart of a buyer purchase module 1700 shown in FIG. 12 as 

utilized by an embodiment of the present invention. The buyer purchase module 1 700 
includes operations 700 through 770 shown in FIG. 7. When a buyer 10 initiates a 

1 0 purchase of an item from seller 50, the buyer purchase module 1 700 begins execution 

: in operations 700 and immediately proceeds to operation 710. In operation 710 the 
mobile station 20 transmits message 610 to seller 50. The mode of transmission may 
be any form of digital communications. Thus, if the seller 50 is a web site, then mobile 
station 20 would access seller 50 through the cellular access network, via a gateway 

15 (such as a WAP gateway), and then through the Internet. However, if a face-to-face 
transaction is occurring between buyer 10 and seller 50 then communications between 
mobile station 20 and seller 50 may include any short range form of communications 
including cable, infrared, low-power radio frequency, or any other suitable means. 

Still referring to FIG. 7, in operation 720 mobile station 20 will wait for receipt of 

20 message 620 from seller 50. Upon receipt of message 620 processing then proceeds 
to operation 730. In operation 730 the buyer 10 checks the invoice price to determine 
if it is valid. In operation 740, a determination is made whether invoice (I) is correct. 
If invoice (I) is not correct processing proceeds to operation 750 where processing of 
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the buyer purchase module 1700 is terminated. However, if the invoice (I) is correct 
then processing proceeds to operation 750. In operation 750, the buyer 10 digitally 
signs the invoice using a secret key (Ki) 410 and the signature is returned in message 
630. Thereafter, processing proceeds to operation 760 where mobile station 20 awaits 
5 delivery of message 640. In the case where the product being delivered by seller 50 
is a digital product, operation 760 would be executed. However, where the product 
being delivered is a tangible product, such as a basket of flowers, operation 760 may 
simply be the handing over that product to buyer 10 from seller 50. Thereafter, the 
buyer purchase module 1700 terminates execution in operation 770. 

10 FIG. 8 is a flowchart of the seller sales module 1800, shown in FIG. 12, as 

utilized by an embodiment of the present invention. The seller sales module 1800 is 
counterpart to the buyer purchase module 1700 and is utilized to check the validity of 
the digital certificate received from the buyer purchase module 1700. 

Referring FIG. 8, the seller sales module 1800 includes operations 800 through 

15 operation 905. The seller sales module 800 begins execution in operation 800 and 
immediately proceeds to operation 810. In operation 810, the seller sales module 1800 
waits for receipt of message 610 containing the certificate and service request. Upon 
receipt of message 610, processing proceeds to operation 820 where the validity of the 
certificate is verified and it is checked that any optional restrictions are not violated. 

20 Thereafter, in operation 830 the result of digital certificate verification is checked. This 
verification of the digital certificate is done online so that the seller 50 may determine 
whether the digital certificate provided by buyer 10 is still valid. The situation may arise 
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where a certificate is issued by gateway 60 and later revoked when the subscriber 
reports a loss or theft of mobile station 20. 

Still referring to FIG. 8, If the certificate is not valid then processing proceeds to 
operation 845 where the execution of the seller sales module 1800 is terminated. 
5 However, if the certificate is valid, then processing proceeds to operation 840. In 
operation 840, it is determined whetherthe requested service complies with the optional 
restrictions applied. If the requested service does not comply with restrictions then 
again processing proceeds operation 845 where execution of the seller sales module 

'." 1800 terminates. However, if the restrictions are violated, then processing proceeds 

-10 to operation 850. In operation 850, the invoice (I) is sent in message 620 to mobile 
station 20. In operation 860, the seller sales module 1 800 waits for receipt of message 
630. Upon receipt of message 630 containing signature (S), operation 870 checks the 

;i signature (S). Thereafter, in operation 880, a determination is made if signature (S) is 
valid. If the signature is not valid the processing again proceeds to operation 845 where 

15 the seller sales module 1800 is terminated. However, if the signature is valid, 
processing proceeds to operation 890 where the seller 50 creates an accounting record 
(AR) and stores it in the seller's 50 local database. Thereafter, processing proceeds 
to operation 900 where the seller 50 proceeds to deliver the product or service desired. 
This may be done through the transmission of message 640 where the product is a 

20 digital product. Finally, the seller sales module 1 800 terminates execution in operation 
905. 

FIGs. 9 through 1 1 illustrate the process whereby the seller 50 is able to receive 
payment for products and services sold using the embodiment of the present invention. 

28 



ATSK Reference No.: 017.38633X00 
Nokia Reference No.: 18746 

FIG. 9 is a diagram of the messages passed between the seller 50 and the 
gateway 60 in order to facilitate payment to the seller for services and goods provided 
to the buyer 10 in an example embodiment of the present invention. Only two 
messages are exchanged between seller 50 and gateway 60. Message 910 simply 
5 contains the current records accumulated by seller 50 within a finite period of time. 
However, as would be appreciated by one of ordinary skill in the art, each time an 

: accounting record is generated it may be transmitted to gateway 60. Message 920 is 
a response supplied by gateway 60 to seller 50 indicating acceptance or rejection of the 
accounting records transmitted. 

-10 FIG. 10 is a flowchart of the seller billing module 1900, shown in FIG. 12, as 

utilized in an example embodiment of the present invention. The seller billing module 
9000 includes operations 1000 through 1160 shown in FIG. 10. The seller billing 
module 9000 begins execution in operation 1000 and immediately proceeds to 
operation 1010. In operation 1010, variable i is set to 0. In operation 1020 a 

15 determination is made if any records remain that have not been incorporated into 
message 910. If no records are left then processing proceeds to operation 1 030 where 
the seller billing module 1 900 terminates execution. However, if no accounting records 
remain to be processed then processing proceeds to operation 1040 or they are placed 
in message 910. Thereafter, in operation 1050 i is incremented by 1. In operation 

20 1060, a determination is made if any records remain to be processed. If records remain 
to be processed then processing proceeds operation 1070. In operation 1070, it is 
determined whether the variable i is less than the variable n which represents the 
maximum number of accounting records that may be put in message 910. If i is less 
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than n then processing loops back to operation 1040 for further processing. However, 
if i is not less than n, then processing proceeds to operation 1080. In operation 1080 
message 910 containing the accounting records is sent to seller 50. Thereafter, 
processing proceeds to operation 1090 where seller 50 awaits return of message 920 
5 from gateway 60. Upon receipt of message 920 processing proceeds to operation 
1110. In operation 1110, the responses from gateway 60 are accepted. In operation 
1120, it is determined whether the response received indicates confirmation and thus 
an approval of the accounting record and payment thereof. If the responses are not 
confirmed in operation 1120, processing proceeds to operation 1130 where the 

=10 accounting record is added to the error log. The error log would then be examined at 
some later point in time to determine the proper course of action. However, if the 
response equals a confirmation, then processing proceeds to operation 1 1 40 where the 

l[ accounting record is entered into a local internal log. Thereafter, in both the case of 
operation 1 130 and 1 140, processing proceeds to any unprocessed responses left in 

1 5 message 920. If there are any unprocessed responses, then processing loops back to 
operation 1110. However, if all responses have been processed, then processing 
proceeds to operation 1160 where execution of the seller billing module 1900 is 
terminated. 

FIG. 1 1 is a flowchart of the gateway billing module 2000, shown in FIG. 12, as 
20 utilized in an example embodiment of the present invention. The gateway billing 
module 2000 is utilized to credit seller 50 with funds for purchases made by buyer 10 
using mobile station 20. The gateway billing module 2000 also serves to verify the 
existence of a corresponding buyer's record containing the digital certificate created by 
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gateway certificate generation module 1 600. Further, the gateway billing module 2000 
also verifies the validity of the signature generated by the buyer purchase module 1 700. 
As will be discussed in further detail ahead, using the verification of the digital certificate 
and the signature it is possible to insure that the buyer 10 is paying the correct amount 
5 for the purchase and that the buyer 10 is only being billed once. 

The gateway billing module 2000 includes operations 1200 through 1340 shown 
in FIG. 1 1 and begins execution in operation 1200. The gateway billing module 2000 
upon startup in operation 1200 immediately proceeds to operation 1210. In operation 
1210, the gateway billing module 2000 waits for the transmission and arrival of 
>10 message 910 from the seller billing module 1900. In operation 1220, the message 910 
'=[- is received from the seller 50 and processing proceeds to operation 1 230. In operation 
f 1230, an accounting record (AR) is extracted from message 910. Processing then 
V: proceeds to operation 1235 where it is determined whether this particular accounting 
record has previously been submitted. If the accounting record has previously been 
15 submitted then processing proceeds to operation 1300 were an error response is 
generated. However, if this particular accounting record has not been previously 
processed, then processing proceeds to operation 1240. In operation 1240, the 
gateway 60 database is searched to find a corresponding record of the digital certificate 
for this sale. In operation 1250 a determination is made whether a record has been 
20 found. If no record is found then processing proceeds to operation 1300 where an error 
response for this particular accounting record is stored for transmission in message 920 
to seller 50. However, if a corresponding record is discovered then processing 
proceeds to operation 1260. 
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Still referring to FIG. 1 1 , the gateway billing module 2000, executing on gateway 
60, proceeds to perform the second check to determine if the accounting record is 
correct. In operation 1260, the signature of buyer 10 is checked. Further, the 
associated restrictions for the digital certificate are checked to determine if this 
5 accounting record violates any of these restrictions. In operation 1270, if either 
signature cannot be verified or if any restrictions are violated then processing proceeds 

: "= to operation 1300 where an error response for this particular accounting record is stored 
for transmission in message 920. However, if the signature is verified and the 

'V restrictions are not violated then processing proceeds to operation 1280. In operation 

=10 1 280, a call detailed record (CDR) is stored in the gateway 60 database so that at some 

: later time the seller 50 may be paid for all purchases by buyer's 10 for that period of 
time. Further, the call detailed report is also charged to the buyer's 1 0 account for that 

; period of time. In GSM network this is done by sending the CDR from local operator 
to the home operator; the home operator then adds the transaction indicated in that 

15 CDR to buyer's phone bill. Thereafter, in operation 1290, the response for this 
accounting record is confirmed and stored as such for transmission in message 920 to 
the seller 50. Thereafter, processing proceeds from both operations 1290 and 1300 to 
operation 1310 where either a confirmed response or an error response is placed in the 
message 920. In operation 1320, it is determined if other accounting records remain 

20 in message 910 and need to be processed. If accounting records remain unprocessed 
in message 910 then processing loops back to operation 1230. However, if all 
accounting records have been processed then processing proceeds to operation 1330. 
In operation 1330, message 920 containing all responses to all the accounting records 
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is transmitted to the seller 50 and processing for the gateway billing module terminates 
in operation 1340. 

It should be noted that the seller billing module 1900 and the gateway billing 
module 2000 processed accounting records in a batch operation. However, as would 
5 be appreciated by one of ordinary skill in the art, an accounting record may also be 
transmitted from the seller 50 to the gateway 60 as they are generated in the seller 
sales module 1 800. Such of an approach would increase the traffic between the seller 
50 and gateway 60. 

FIG. 12 is a modular configuration diagram of the embodiments of the present 

10 invention shown in FIGs. 5, 7, 8, 10, and 11. This modular configuration diagram 
illustrates the interconnection between modules in the present invention and the logical 
flow. It should be noted that the mobile station 20 certificate acquisition module 1500 
is the only module that interfaces to the GSM authentication module 1400, the A3 
algorithm module 430 and the A8 algorithm module 420, previously discussed in 

1 5 reference to FIG. 4. Using this embodiment of the present invention, the mobile station 
20 need only be authenticated by the mobile telephone infrastructure for billing and 
authentication 90 upon startup and thus imposes a minimal burden upon the telecom 
mobile telephone infrastructure for billing and authentication 90. 

Still referring to FIG. 12, once the mobile station 20 is authenticated the mobile 

20 station certificate acquisition module 1 500 is able to obtain a digital certificate from the 
gateway 60 using the gateway certificate generation module 1 600. With the certificate 
in the memory of mobile station 20 the buyer purchase module 1700 is able to make 
a purchase from a seller 50 in conjunction with the seller sales module 1 800. The seller 
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sales module 1 800 generates an accounting record which the seller billing module 1 900 

is able to submit to the gateway 60. The gateway billing module 2000 in the gateway 

60 will verify the accuracy of the accounting record and only charge the buyer 1 0 for the 

correct amount and only once for any purchase. 
5 While we have shown and described only a few examples herein, it is 

understood that numerous changes and modifications as known to those skilled in the 
: art could be made to the present invention. For example, rather than a single digital 

certificate being transmitted in message 260, several could be transmitted at one time. 

In this manner each certificate may have its own restrictions and when a buyer or user 
10 10 goes to make a purchase the certificate that most closely meets the requirements 

of the purchase may be transmitted to the seller 50. In addition, instead of transmitting 
= messages containing M1, M2, and M3 as shown in FIG. 2 it is possible for all 

messages to be authenticated using a 32-bit integrity key (Ki) that is part of the third 

generation standard security mechanism as specified in section 6.5 "Access Link Data 
1 5 Integrity" of 3G security document (3G TS 33.1 02 version 3.5.0 release 1 999) which we 

incorporate herein by reference. Therefore, we do not wish to be limited to the details 

shown and described herein, but intend to coverall such changes and modifications as 

are encompassed by the scope of the appended claims. 
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CLAIMS 



We Claim: 

1 A method of ordering, paying for and delivering goods and services using 

2 a mobile station, comprising: 

53 accessing a gateway by the mobile station and transmitting an identification code 

4 for mobile station to the gateway; 

J5 verifying the identity of the mobile station by the gateway by accessing an 

" 6 authentication center and comparing variables computed by the mobile station and 

: 7 variables computed by the gateway; 

T8 delivering a digital certificate to the mobile station by the gateway when the 

59 identity of the mobile station have been verified; and 

1 0 requesting a product or service from a seller and transmitting a digital signature, 

1 1 accompanied by the digital certificate for a signature verification key as payment to the 

12 seller. 

1 2. The method recited in claim 1 , wherein the verifying the legitimacy of the 

2 gateway by the mobile station by comparing the variables computed by the gateway 

3 with the variables computed by the mobile station, further comprises: 

4 transmitting from the mobile station to the gateway a session identification and 

5 an international mobile subscriber identifier; 
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6 transmitting the international mobile subscriber identifier from the gateway to the 

7 authentication center; 

8 transmitting from the authentication center to the gateway a random number 

9 (RAND), a signed response (SRES), and an encryption key; 

10 computing a variable M1 by the gateway and transmitting the variable M1 and 

1 1 the random number to the mobile station; 

;12 computing a variable M1' by the mobile station; and 

^1 3 verifying the legitimacy of the gateway when the variable M1 equals the variable 

U Ml". 

1 3. The method recited in claim 2, wherein the integrity key (K) is computed by 

= 2 both the mobile station and the authentication center as a function of RAND and Ki, 

^ 3 where RAND is a random number issued by the authentication center, and Ki is a 

4 secret key contained within the authentication center and the mobile station. 

1 4. The method recited in claim 3, where RAND the integrity key (K) is 

2 transmitted by the of indications center to the gateway. 

1 5. The method recited in claim 1, further comprising: 

2 computing a digital certificate by thegateway certifying the mobile station's public 

3 key (PK); 

4 computing a variable M3 by the gateway and transmitting the variable M3 and 

5 the digital certificate to the mobile station; 
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6 computing a variable M3' by the mobile station; 

7 verifying the legitimacy of the gateway when the variable M3 equals the variable 

8 M3\ 

1 6. The method recited in claim 5, wherein the variables M3 and M3' are 

2 computed using the formula M3 = M3' = MAC (K, C), where MAC is a message 

3 authentication code function, K is an integrity key and C is the digital certificate created 

4 by the gateway to certify PK. 

1 7. The method recited in claim 1 , wherein verifying the identity of the mobile 

2 station by the gateway accessing an authentication center and comparing variables 

3 computed by the mobile station and variables computed by the gateway, further 

4 comprises: 

5 transmitting a signed response, a public key and a variable M2 computed by the 

6 mobile station to the gateway; 

7 computing a variable M2' by the gateway; 

8 comparing the variable M2 and the variable M2'; and 

9 verifying the identity of the mobile station when variable M2 is equal to variable 
10 M2\ 

1 8. The method recited in claim 7, wherein variables M2 and M2' are computed 

2 using the formula M2 = M2" = MAC (K, {SRES}, PK, [{restrictions}], [alias]), wherein 

3 MAC is a message authentication code function, SRES is a signed response, K is an 
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4 integrity key, PK is a public key, restrictions are limits on the certificate and alias is an 

5 alternate identification for the mobile station. 

1 9. The method recited in claim 1 , wherein requesting a product or service from 

2 a seller and transmitting the digital signature, accompanied by the digital certificate for 

3 the signature verification key as payment to the seller, further comprises: 

" 4 transmitting the certificate with the request for the product or service; 

5 receiving an invoice from the seller indicating a price for the product or service; 

6 computing a digital signature on the invoice; 

7 approving the invoice by transmitting the digital signature to the seller; and 
= 8 accepting delivery of the product or service by the buyer. 

1 10. The method recited in claim 9, wherein the seller upon transmission of the 

2 digital signature, further comprises: 

3 verifying the digital signature; 

4 verifying that restrictions associated with the digital certificate are not violated; 

5 and 

6 creating the an accounting record for the product or service sold. 

1 11. The method recited in claim 10, further comprising: 

2 transmitting from the seller to the gateway the accounting record having an 

3 invoice and digital signature of a customer of a home network operator service; 
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4 determining by the gateway that a corresponding record exists in a local 

5 database and the validity of the digital signature; 

6 determining whether the invoice violates any restrictions contained in the 

7 corresponding record; 

8 crediting the seller with an amount equal to that in the invoice; and 

9 billing the buyer with the amount of the invoice. 

=J1 12. The method recited in claim 1 , further comprising: 

Q:2 verifying the legitimacy of the gateway by the mobile station by comparing the 

3 variables computed by the gateway with the variables computed by the mobile station. 

ZA 13. The method recited in claim 1 1 , wherein delivering a digital certificate to 

= 5 the mobile station by the gateway when the identity of the mobile station and the 

6 gateway have been verified, further comprises: 

7 requesting a digital certificate by the mobile station from the gateway used to 

8 order and pay for a product or service from a seller 

1 A system for ordering, paying for and delivering goods and services using 

2 a mobile station, comprising: 

3 a GSM authentication module to verify that the mobile station is permitted to 

4 access a telecom infrastructure; 

5 a mobile station certificate acquisition module to request a digital certificate for 

6 the mobile station from a gateway; and 
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7 a gateway certificate generation module to verify that the mobile station is 

8 authorized to receive the digital certificate by transmitting an international mobile 

9 subscriber identifier received from the mobile station to an authentication center, 

10 calculate variables based on information received from the authentication center and 

11 compare them to variables computed by the mobile station, and issue the digital 

1 2 certificate to the mobile station when the variables match. 

- 1 15. The system recited in claim 14, wherein the mobile station certificate 

; = 2 acquisition module verifies that the gateway is authorized to issue the digital certificate 

3 through the use of comparing variables computed by the gateway and the mobile 

4 station. 

1 16. The system recited in claim 15, further comprising: 

2 a buyer purchase module to request the purchase of a good or service from a 

3 seller, present the digital certificate to the seller, receive an invoice and provide the 

4 seller with a digital signature approving the purchase of the good or service; 

5 a seller sales module to verify the validity of the digital certificate and the validity 

6 of the digital signature, issue an invoice, generate an accounting record and deliver a 

7 product or service; 

8 a seller billing module to transmit to the gateway the accounting record and 

9 receive a response indicating if the accounting record has been approved for payment; 

10 and 
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11 a gateway billing module to verify the accounting record and an accompanying 

12 signature, and issue a credit to the seller and debit to the buyer when the accounting 

13 record and the accompanying signature are verified. 

1 1 7. The system recited in claim 1 6, wherein the gateway certificate generation 

2 module transmits an international mobile subscriber identifier to the authentication 
- 3 center, receives a random number, a signed response and an encryption key from the 

4 authentication center, computes a variable M1 , M2\ and M3 and verifies the validity of 

-*5 the mobile station by comparing variable M2 received from the mobile station with 

. =6 variable M2'. 

=- 1 18. The system recited in claim 14, wherein the mobile station further 

1-2 comprises: 

3 a subscriber identification module (SIM) used to compute a signed response and 

4 a ciphering key based on a secret key, installed by a home network operator service in 

5 the subscriber identification module upon signing up for a service plan, and a random 

6 number obtained from an authentication center in the home network operator service; 

7 an A3 algorithm module, contained in the SIM, is used to compute the signed 

8 response; and 

9 an A8 algorithm module, contained in the SIM, is used to compute the ciphering 

10 key, wherein through the transmission of signed responses to and from the mobile 

1 1 station a telecommunication infrastructure is able to verify that the mobile station is 

12 authorized to access the telecommunication infrastructure and the gateway. 
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1 A computer program embodied on a computer readable medium and 

2 executable by a computer for ordering, paying for and delivering goods and services 

3 using a mobile station, comprising: 

4 a GSM authentication code segment to verify that the mobile station is permitted 

5 to access a telecom infrastructure; 

6 a mobile station certificate acquisition code segment to request a digital 
17 certificate for the mobile station from a gateway; and 

8 a gateway certificate generation code segment to verify that the mobile station 

9 is authorized to receive the digital certificate by transmitting an international mobile 
_10 subscriber identifier received from the mobile station to an authentication center, 
.11 calculate variables based on information received from the authentication center and 
12 compare them to variables computed by the mobile station, and issue the digital 

-13 certificate to the mobile station when the variables match. 

1 20. The system recited in claim 19, wherein the mobile station certificate 

2 acquisition code segment verifies that the gateway is authorized to issue the digital 

3 certificate through the use of comparing variables computed by the gateway and the 

4 mobile station. 

1 21. The computer program recited in claim 19, further comprising: 

2 a buyer purchase code segment to request the purchase of a good or service 

3 from a seller, present the digital certificate to the seller, receive an invoice and provide 

4 the seller with a digital signature approval the purchase of the good or service; 
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5 a seller sales code segment to verify the validity of the digital certificate and the 

6 validity of the digital signature, issue an invoice, generate an accounting record and 

7 deliver a product or service; 

8 a seller billing code segment to transmit to the gateway the accounting record 

9 and receive a response indicating if the accounting record has been approved for 

10 payment; and 

11 a gateway billing code segment to verify the accounting record and an 

1 2 accompanying signature, and issue a credit to the seller and debit to the buyer when 

1 3 the accounting record and the accompanying signature are verified. 



1 22. The computer program recited in claim 20, wherein the mobile station 

2 certificate acquisition code segment transmits a session identification and an 

3 international mobile subscriber identifierto the gateway, receives a random number and 

4 a variable M1 from the gateway and verifies that the gateway is authentic by computing 

5 and comparing the variable M1 ' with M1 . 



1 23. The computer program recited in claim 1 9, wherein the gateway certificate 

2 generation code segment transmits an international mobile subscriber identifier to the 

3 authentication center, receives a random number, a service response and an encryption 

4 key from the authentication center, computes a variable M1 , M2', and M3 and verifies 

5 the validity of the mobile station by comparing variable M2 received from the mobile 

6 station with variable M2\ 
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Abstract of the Disclosure 

A system, method and computer program for ordering, paying for and delivering 
goods and services through the use of certificates. These certificates insure that the 
buyer is only billed once for the good or service purchased and only for the correct 
amount. This system, method and computer program employs the authentication 
center used to enable access to a telecommunication infrastructure to bootstrap a 
public-key infrastructure. This system, method and computer program will validate the 
identity of the mobile station being used utilizing long term keys stored in the mobile 
station and an authentication center. The system, method and computer program will 
then utilize these keys and variables to generate digital certificates and signatures 
which enable the purchase of goods and services using a mobile station. The gateway 
will then verify the authenticity of any charges made based on the digital certificates and 
signatures received. Thus, a user of this system, method and computer program can 
purchase goods and services without fear of fraud or errors. This mobile station may 
be a cellular phone and when used with this system, method and computer program the 
cellular phone may be used similarly to a credit card but with the advantage of little 
possibility of fraud or error. 
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